Cyber Security Breaches Survey 2020: Top 10 highlights

Last week, the Government Department for Digital, Culture, Media and Sport (DCMS) released its latest report: the Cyber Security Breaches Survey 2020. The report has some great insights into the latest cybersecurity challenges and trends. Rather than having to read all 54 pages, we’ve gone through the report and picked out 10 highlights.

1. More than half of organisations hold personal information electronically

The Cyber Security Breaches Survey highlights first and foremost the growing digital footprint of many organisations. Whether it’s the use of websites, email accounts, online payments or storage of personal data, businesses are increasingly moving towards modern digital options.

The most interesting fact is that 55% of businesses and 56% of charities are now holding personal information about customers electronically.

This method of storage is unquestionably more efficient and effective, but also brings heightened cybersecurity risks. More so for Finance and Insurance businesses, where 77% of organisations hold customer information online, compared to the 55% overall.

2. Cybersecurity is a top priority for Finance and Insurance

It’s always interesting to understand which sectors are placing more focus on cybersecurity investment. In this survey, 71% of Finance and Insurance businesses placed cybersecurity as a “very high priority” versus only 40% of overall businesses.

But why is cybersecurity so important to this industry? Most likely because this sector is often a common target for cybercriminals due to the large amount of personally identifiable information they hold. Also, cyber fraud is an increasing issue for businesses and individuals of the public, meaning cybersecurity has to be at the forefront of most banks and financial institutions.

3. Senior Managers aren’t informed on cyber

According to the report, a staggering 17% of senior managers are “never” updated on actions taken around cybersecurity (12% for charities). This is compared to 4% and 3% respectively of senior managers (directors, trustees etc) who are informed BUT only when there is a breach.

The lack of communication around cybersecurity is likely due to the fact that 63% of businesses and 55% of charities have no board members or trustees with a responsibility for cybersecurity.

IRM has preached for a long time about the importance of cybersecurity with the board and/or trustees. Senior managers need to be frequented with the business’ threat landscape, understand what the business is doing proactively to protect itself and understand how its customers are protected. Without communication between cybersecurity managers and senior management (and without responsibility at the top of the tree) cybersecurity will never become a true priority. This, in turn, means it will never receive the funding it requires.

4. Change is reactive, not proactive

One of the frequent mentions throughout the Cyber Security Breaches Survey is the impact of the GDPR. The legislation enforced a reactive response for many organisations in cybersecurity, leading to an increase in awareness, training and investment. This very example underpins the idea that there is still a tendency to be reactive in cybersecurity rather than proactive.

Putting GDPR aside, the survey shows that, when an organisation is impacted by a breach or attack, the top reaction is to implement new measures needed for cybersecurity (27% of businesses and 42% of charities). It’s easier said then done to predict what measures you need in place to avoid a cyber-attack before you have one, but conducting more regular health-checks or tests would certainly help.

Linking back to highlight #3 regarding lack of communication bottom-up, 91% of overall businesses do communicate with their senior managers when there is a disruptive breach. Again, this highlights a reactive approach where cybersecurity managers are only involving senior managers at the disruption stage when they need investment or support. Where possible, cybersecurity owners should use examples from other companies to highlight the potential impact of a breach or attack, shaping the understanding of senior management and encouraging investment in proactive resources.

During the survey, when researchers asked respondents what activities they had carried out in the last 12 months to identify cybersecurity risks (including tools for security monitoring, internal audits, health checks, risk assessments, external audits etc) a scary 36% of businesses and 39% of charities said they had done nothing at all.

Whilst it wasn’t an exhaustive list of actions, you may expect the average business to be conducting some level of risk assessment or health check of IT operations and information security, but the survey results of over 1,600 organisations says otherwise. This is a cause for concern. Perhaps these organisations think they are untouchable or are not affected by cybersecurity risks, or perhaps they cannot gather the budget to invest in such actions.

6. Only 9% of businesses consider risks in their wider supply chain

The survey shows that most organisations, particularly large firms, are good at carrying out risk assessments amongst their immediate suppliers (43%). But there is a steady incline as the organisations get smaller, meaning only 9% of the businesses overall consider the risks in their wider supply chain.

There’s no doubt that this lack of consideration is down to little resource, but it leaves organisations open to huge risks. The report even raises cause for concern over the definition of an immediate supplier or wider supply chain. Even when organisations who address cybersecurity as a priority were questioned, they struggled to comprehend that suppliers go further than IT providers, internet and digital service providers. For most organisations, suppliers presenting risks to your business are usually suppliers who you interact with digitally and share data with, yet this concept isn’t widely shared.

7. Cloud is where it’s at

Unsurprisingly, there is an increase in organisations moving towards the cloud. In 2018’s report, 58% of businesses had backed up their data via the cloud, compared to 69% today. For charities, the contrast is even starker. Cloud backups is at 61% compared to 38% in 2018.

Why are people turning to the cloud? There are so many businesses now offering support for companies wishing to move data to the cloud that it is becoming much more common. The key benefits include back-up/recovery of data to minimise the impact after a cyber-attack and the ease-of-access through a broad network.

8. Smoke screens and mirrors: practice what you preach?

Over a quarter (28%) of businesses in the survey appear to be covered in some shape or form by an cybersecurity insurance policy. This is a policy that usually provides assistance with incident response, legal support and insurance against loss of earnings if a cyber-attack were to occur.

Whilst these organisations have cyber insurance policies in place, they didn’t necessarily even know what they were covered for. This eagerness to sign up for policies without understanding the true output creates huge risks. It creates the risk of it becoming a tick-box exercise and a cover-all for cybersecurity as a fall-back, rather than a proactive approach to change processes to avoid a breach in the first place.

Furthermore, only 38% of businesses have a formal policy covering cybersecurity risks and 39% have a business continuity plan (42% and 25% respectively for charities). This is despite the fact that 80% of businesses and 74% of charities state cybersecurity as a ‘high priority’. It’s important to practice what we preach when it comes to implementing cybersecurity best practice.

9. Phishing still rules

No surprises here, but phishing still rules when it comes to the top methods for cyber-attacks or breaches in the last 12 months (86% for businesses and 85% for charities). This won’t come as a shock considering the level of news stories we see covering cyber-attacks enabled by an employee opening a fraudulent email or being sent to a fraudulent website.

Despite phishing being the top method, the data also shows that the methods being used is becoming more varied. This will make it harder for security operations centres to keep track and manage the different threats.

10. Reporting blockers still remain

It may seem obvious to report an cybersecurity incident once it’s happened, but the survey shows that many organisations are still failing to report them. There is some uncertainty around the question poised in the survey – for example, does ‘reporting’ refer to reporting it internally, to banks, insurers or staff? Despite this, when we consider whether organisations have reported cyber incidents to external wider authorities (such as the ICO or Action Fraud) there are several barriers raised by the respondents including:

It wouldn’t make a difference as it would near impossible to catch the perpetrator

Lack of response from authorities experienced in previous reports, so they don’t want to waste time reporting again

Uncertainty on how it will affect the organisation (reputation, financials, penalties etc)

Internal politics whereby one team has been involved in responding into the cyber incident

A general lack of awareness on who they should be reporting the incident to

We hope you have found this summary helpful. Should you wish to read the DCMS’s full report, you can read it here.

To find out more about how IRM is supporting organisations through some of the challenges presented in this report, fill in our contact form and we’ll be in touch.